Stellar Exam

1. Which of the following describes a threat’s relationship to a vulnerability?
• A threat is the agent or actor that can or intends to cause harm via a
vulnerability.
• A threat is the flaw that can be exploited to cause harm via a
vulnerability.
• A threat is the intersection of a vulnerability and the risk of harm.
• A threat is the code or technique by which vulnerabilities are taken
advantage of.

2. Which of the following options can be added to the config on an OpenSSH
server to disable any sort of port forwarding?
• AllowTCPForwarding No
• DenySSHForwarding Yes
• PermitTCPForwarding No
• BlockSSHForwarding Yes

3. Which of the following describes a singles payload in Metasploit?
• Payloads that work only one time.
• Payloads with a single communication option.
• Payloads that include both functionality and communication bundled
together.
• Payloads with a single functionality.

4. The Windows Type command is similar to which Linux command?
• file
• less
• grep
• cat

5. A penetration tester obtains user-level access to a target machine and is about
to start uploading their tools. Their objective is to use the newly obtained
access as a pivot to attempt further penetration of the network. Which of the
following options are file/programs that could help the penetration tester to
achieve their objective?
• Local privilege escalation exploits, Operating system patches, Additional
legitimate file transfer services.
• Network sniffers, Local privilege escalation exploits, Operating system
patches.
• Network sniffers, Local privilege escalation exploits, Private keys
obtained from other penetrated systems.
• Operating system patches, Additional legitimate file transfer services,
Private keys obtained from other penetrated systems.

6. What protocol is used by nmap by default for host discovery when the target is
on the same network segment?
• ARP
• ICMP (Echo Request)
• PING
• TCP

7. Reconnaissance activity against a target network should ideally attempt to
meet which criteria?
• Active traffic capture
• Zero touch interaction
• Scanner based results.

8. A victim’s NTLMv2 authentication traffic is relayed through an attacker’s
machine in order to allow the attacker to gain unauthorized access to a
Windows server. Which protocol was relayed by the attacker?
• DHCP
• Kerberos
• ARP
• SMB

9. What security issue was addressed by the implementation of shadow passwords
on Unix systems?
• /etc/passwd needs to be world writeable, which enables users to change
the plaintext passwords in the file.
• /etc/passwd needs to be world writeable, which enables users to
change the password hashes in the file.
• /etc/passwd needs to be world readable, which enables users to view
plaintext passwords in the file.
• /etc/passwd needs to be world readable, which enables users to view
the password hashes in the file.

10. When building dictionaries for password attacks, which of the following
commands demonstrates one way to ensure there aren’t duplicate entries
within your list?
• $ mysql < wordlist.txt | select * where X = % > dictionary.txt
• $ cat wordlist.txt-dup > dictionary.txt
• $ cat wordlist.txt | grep -v duplicates | > dictionary.txt
• $ cat wordlist.txt | sort | uniq > dictionary.txt.

11. Azure Active Directory is an example of which type of cloud service platform?
• PaaS (Platform as a Service)
• SaaS (Software as a Service)
• CaaS (Computing as a Service)
• IaaS (Infrastructure as a Service)

12. During the reconnaissance phase of a penetration test, which location is a good
place to determine the type of antivirus product that a company uses?
• Outbound Email footer
• Dumpster
• Phone records
• Public facing website.

13. You want to find out what ports a system is listening on. What is the correct
command on a Linux system?
• fport /p
• lsof -nao
• tasklist /v
• netstat -nap

14. Analyze the excerpt from a packet capture below. Given the host is up, what
conclusion can be correctly drawn about host 192.168.116.101?
• It is providing services only on port 139/TCP.
• It is redirecting traffic on behalf of another host.
• It is resetting connection attempts on TCP ports 130-140.
• It is not responding to connection attempts on TCP ports 130-140.

15. Analyze the screenshot below. Which of the following sets of results will be
retrieved using this search?
• Pages from the domain sans.edu that have external links.
• Pages that contain the term ext:php and site:sans.edu.
• Files of type .php from the domain sans.edu.
• Files of type .php that redirect to the sans.edu domain.

16. Your company has been hired to conduct a penetration test against a large,
multinational organization. They would like you to test their entire
organization, which consists of approximately 10,000 IP addresses. In order to cut
down on the time and costs associated with the test, they would like to limit the
scope of the port scan. Which of the following would be best to use if the
company was willing to provide you with whatever network data you required?
• Scan only a subset of all ports that are possibly in use.
• Scan only a subset of the target servers in each subnet.
• Scan only the ports that are listed as open by the perimeter firewall
ruleset.
• Scan only a certain percentage of all systems in the company.

17. You are pen testing a system and want to use Metasploit to open a listening
port on the system to be accessed via Netcat. Which stager would you use to
have the system listen on TCP port 50000?
• findtag_ord
• reverse_tcp
• passive
• bind_tcp

18. The scope of a test is limited to server-side applications. Which of the following
actions is allowed in this test?
• Sending a malicious pdf to a user and exploiting a vulnerable Reader
version.
• Leaving malicious flash drives in the employees’ work areas.
• Attempting to upload content to a vulnerable internal IIS server.
• Attempting to get a user to reveal his password through social
engineering.

19. Which of the following is a characteristic of Azure Smart Lockout?
• It is not enabled by default for tenants or users.
• Lockout counters are the same regardless of geographic region.
• It can be integrated with hybrid deployments.
• Organizations cannot customize the lockout features.

20. Which of the following is a benefit of a pass-the-hash attack over traditional
password attacks?
• No alteration of the LSASS process.
• No triggering of IDS signature from the attack.
• No account lockout.

21. You are pen testing a Windows system remotely via Netcat. You want to get a
listing of all the local users on the system. What command would you use?
• net user
• net localuser
• net account
• net name

22. You are pen testing a Windows system remotely via Netcat. You want to gather
information on remote systems that the target has communicated with
recently. What command could you use?
• ipconfig /displaydns
• net displaydns
• ifconfig /displaydns
• net /displaydns

23. Finding and reporting vulnerabilities in a system without the intent to exploit
them is an example of what practice?
• Penetration Testing
• Compliance Auditing
• Ethical Hacking
• Vulnerability Assessment.

24. How can an organization’s security team protect against credential stuffing
attacks?
• Issue a cease-and-desist order on websites that publish breach
information.
• Train employees on the use of a password manager.
• Require initial passwords be changed upon first login.
• Use the login API of a secondary organization to authenticate.

25. What section of the penetration test or ethical hacking engagement final report
is used to communicate the agreed upon scope of the test?
• Introduction.
• Conclusions.
• Findings.
• Executive Summary.

26. A hacker has discovered that the C:\ path on a Windows machine is writable.
They install an executable called Program.exe in C:\ to try to trick the Windows
service controller into running it with elevated privileges. What vulnerability is
the hacker exploiting?
• Group Policy Preferences (GPP)
• DLL search order hijacking
• Writable Windows Service executables
• Unquoted paths with spaces.

27. While executing an Nmap NSE scan of a target network, the objective of the
scan is to avoid generating logs or otherwise impacting the target network. Which
category of Nmap scripts should be avoided?
• Malware
• Intrusive
• Discovery
• Safe

28. You are completing a penetration test in which client-side exploits are in scope.
You’ve loaded a weaponized PDF onto a server and sent a crafted email to the
target. Which of the following is required for this attack to succeed?
• The target’s web browser must contain an exploitable vulnerability.
• The target’s PDF client must run with root privileges.
• The client’s email program must have automatic preview of links
enabled.
• The personal firewall on the target machine must allow outbound
access to port 8080.

29. What factual conclusion can be drawn from the following output after issuing
Nmap with the “-A” parameter?
• Firewall service running on port 8081.
• Fingerprint not recognized for service on port 8081.
• nmap-service-probe file could not be found.
• The “--version-trace” option is set.

30. During the reconnaissance phase of a penetration test, the tester finds the
current message board posting shown below from an employee of the
corporation being tested. What conclusion can be drawn about the
corporation’s current security situation?
• Attacks may go unnoticed.
• Access control is strict.
• The firewall is misconfigured.
• Security personnel are attentive.

31. You are pen testing a Windows system remotely via Netcat. You want to get a
listing of all the local users in the administrators group. What command would
you use?
• net localgroup administrators
• net account administrators
• net localuser administrators
• net user administrators

32. Which site is a repository for high quality free exploits?
• StormCenter
• Sourceforge
• Packetstorm
• Snort

33. What Windows privilege escalation flaw would an attacker be trying to exploit
by running the following command on a Windows system?

findstr /S cpassword %LOGONSERVER%

• AlwaysInstallElevated registry keys
• Group Policy Preferences (GPP)
• DLL search order hijacking
• Unattended installation files

34. What is the purpose of the following commands?
• The first command creates a backdoor shell as a service. It is being
started on UDP 2222 using cmd.exe. The second command verifies the
service is created and its status.
• The first command verifies the service is created and its status. The
second command creates a backdoor shell as a service. It is being
started on TCP 2222 connected to cmd.exe.
• This creates a service called ncservice which is linked to the cmd.exe
command and is designed to stop any instance of nc.exe being run. The
second command verifies the service is created and its status.
• This creates a service called cmd.exe which is linked to the ncservice
command. The second command verifies the service is created and its
status.
• The first command creates a backdoor shell as a service. It is being
started on TCP 2222 using cmd.exe. The second command verifies the
service is created and its status.

35. Which of the following TCP packet sequences are common during a SYN (or
half-open) scan?
• The scanning computer sends SYN and a SYN-FIN is received from the
target computer.
• The scanning computer sends SYN-ACK and the target computer
responds with RST-ACK.
• The scanning computer sends SYN-ACK and no response is received
from the target computer.
• The scanning computer sends SYN and the target computer responds
with RST-ACK.

36. What does the command “./john --test” do?
• John will display statistics about how many combinations per second it
can perform on a given machine.
• John will test the system configuration to ensure that it is installed
correctly.
• John will verify the configuration file for errors.
• John will print an estimate of the time it needs to crack a given
password file.

37. During the pentest, Maria, the head of the blue team, discovered that the new
online service has problems with its authentication mechanism. The old
password can be reset by correctly answering the secret question, and the
submission form is not protected by a CAPTCHA, which allows a
potential attacker to use a brute force attack. What is the name of such an
attack in the Common Weakness Enumeration (CWE)?
• User impersonation.
• Weak password recovery mechanism.
• Verbose failure messages.
• Insecure transmission of credentials.

38. What is the "wget 192.168.0.10 -q -S" command used for?
• Performing content enumeration on the web server to discover hidden
folders.
• Using wget to perform banner grabbing on the webserver.
• Download all the contents of the web page locally.
• Flooding the web server with requests to perform a DoS attack.

39. Using a Wi-Fi Pineapple to run an access point with a legitimate-looking SSID
for a nearby business belongs to which of the following types of attack?
• MAC spoofing attack
• Evil-twin attack
• Phishing attack
• Wardriving attack

40. In which of the following logging frameworks was a vulnerability discovered in
December 2021 that could cause damage to millions of devices and Java
applications?
• Apache Commons Logging
• SLF4J
• Logback
• Log4J

41. The attacker wants to draw a map of the target organization's network
infrastructure to know about the actual environment they will hack. Which of
the following will allow him to do this?
• Vulnerability analysis
• Network enumeration
• Scanning networks
• Malware analysis

42. Which of the following is a Metasploit post-exploitation module that is used to
escalate privileges on systems?
• keylogrecorder
• getsystem
• getuid
• autoroute

43. The company "Work Town" hired a cybersecurity specialist to perform a
vulnerability scan by sniffing the traffic on the network to identify the active
systems, network services, applications, and vulnerabilities. What type of
vulnerability assessment should be performed for "Work Town"?
• Passive assessment.
• External assessment.
• Active assessment.
• Internal assessment.

44. Whois services allow you to get a massive amount of valuable information at
the reconnaissance stage. Depending on the target's location, they receive
data from one of the five regional Internet registries (RIRs). Which of the
following RIRs should the Whois service contact if you want to get information
about an IP address registered in France?
• LACNIC
• APNIC
• RIPE NCC
• ARIN

45. The cyber kill chain is essentially a cybersecurity model created by Lockheed
Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and
helps security teams to stop the attacks at every stage of the chain. At what
stage does the intruder transmit the malware via a phishing email or another
medium?
• Delivery
• Actions on Objective
• Weaponization
• Installation

46. Black-hat hacker Ivan attacked the SCADA system of the industrial water
facility. During the exploration process, he discovered that outdated equipment
was being used, and the human-machine interface (HMI) was directly connected to
the Internet and did not have any security tools or authentication mechanism.
This allowed Ivan to control the system and influence all processes (including
water pressure and temperature). What category does this vulnerability belong
to?
• Credential Management.
• Code Injection.
• Lack of Authorization/Authentication and Insecure Defaults.
• Memory Corruption.

47. You need to identify the OS on the attacked machine. You know that TTL: 64
and Window Size: 5840. Which OS is running on the attacked machine?
• Windows OS.
• Linux OS.
• Mac OS.
• Google’s customized Linux.

48. Which of the scenarios corresponds to the behaviour of the attacker from the
example below:
The attacker created and configured multiple domains pointing to the same
host to switch quickly between the domains and avoid detection.
• Data staging.
• Unspecified proxy activities.
• DNS tunnelling.
• Use of command-line interface.

49. Adam is a shopaholic, and he constantly surfs the Internet in search of
discounted products. The hacker decided to take advantage of this weakness of
Adam’s and sent a fake email containing a deceptive link to his social media
page with information about a sale. Adam, anticipating the benefit, didn't notice
the malicious link, clicked on it and logged in to that page using his valid
credentials. Which of the following tools did the hacker probably use?
• Evilginx
• XOIC
• PyLoris
• sixnet-tools

50. Which of the following services is running on port 21 by default?
• Service Location Protocol
• File Transfer Protocol
• Border Gateway Protocol
• Domain Name System

51. The date and time of the remote host can theoretically be used against some
systems that use weak time-based random number generators in other services.
Which option in Zenmap will allow you to make ICMP Timestamp ping?
• -PN
• -PU
• -PY
• -PP

52. Ivan, a black hat hacker, got the username from the target environment. In
conditions of limited time, he decides to use a list of common passwords, which
he will pass as an argument to the hacking tool. Which of the following is the
method of attack that Ivan uses?
• Dictionary attack.
• Known plaintext attack.
• Smudge attack.
• Password spraying attack.

53. Identify the correct sequence of steps involved in the vulnerability-management
life cycle.
• Vulnerability scan -> Identify assets and create a baseline -> Risk
assessment -> Remediation -> Verification -> Monitor.
• Remediation -> Monitor -> Verification -> Vulnerability scan -> Risk
assessment -> Identify assets and create a baseline.
• Vulnerability scan -> Risk assessment -> Identify assets and create a
baseline -> Remediation -> Monitor -> Verification.
• Identify assets and create a baseline -> Vulnerability scan -> Risk
assessment -> Remediation -> Verification -> Monitor.

54. When scanning with Nmap, you found a firewall. Now you need to determine
whether it is a stateful or stateless firewall. Which of the following options is
best for you to use?
• -sT
• -sA
• -sM
• -sO

55. Identify the Google advanced search operator that helps an attacker gather
information about websites that are similar to a specified target URL.
• [inurl:]
• [link:]
• [site:]
• [related:]

56. Which of the following standards is most applicable for a major credit card
company?
• FISMA
• Sarbanes-Oxley Act
• HIPAA
• PCI-DSS

57. sqlmap.py -u "http://10.10.37.12/?p=1&forumaction=search" --dbs

Which of the following does this command do?
• Creating backdoors using SQL injection.
• Retrieving SQL statements being executed on the database.
• Searching database statements at the IP address given.
• Enumerating the databases in the DBMS for the URL.

58. Ivan, an evil hacker, spreads Emotet malware through a malicious script in
the organization he attacked. After infecting the device, he used Emotet to
spread the infection across local networks and beyond to compromise as many
machines as possible.
He achieved this using a tool which is a self-extracting RAR file (containing
bypass and service components) that retrieves information related to network
resources such as writable share drives.
What tool did Ivan use?
• Credential enumerator
• Outlook scraper
• NetPass.exe
• Mail PassView

59. Which of the following frameworks contains a set of the most popular tools
that facilitate your tasks of collecting information and data from open sources?
• BeEF
• WebSploit Framework
• Speed Phish Framework
• OSINT framework

60. Identify the type of SQLi by description: This type of SQLi doesn't show any
error message. Its use may be problematic, as it only returns information
when the application is given SQL payloads that elicit a true or false response
from the server. When using this method, an attacker can extract
confidential information by observing the responses.
• Out-of-band SQLi
• Blind SQLi
• Error-based SQLi
• Union SQLi

61. Which of the following is the best description of the final phase of every
successful hack, clearing tracks?
• During a cyberattack, a hacker injects a rootkit into a server.
• During a cyberattack, a hacker corrupts the event logs on all machines.
• A hacker gains access to a server through an exploitable vulnerability.
• After a system is breached, a hacker creates a backdoor.

62. The company hired a cybersecurity specialist to conduct an audit of their
mobile application. On the first day of work, the specialist suggested starting
by extracting the source code of the mobile application and
disassembling the application to analyze its design flaws. He is sure that using
this technique, he can fix bugs in the application, discover underlying
vulnerabilities, and improve defence strategies against attacks. Which of the
following techniques will the specialist use?
• Jailbreaking.
• Application sandboxing.
• Rooting.
• Reverse engineering.

63. What is the name of a popular tool (or rather, an entire integrated platform
written in Java) based on a proxy used to assess the security of web
applications and conduct practical testing using a variety of built-in tools?
• Nmap
• CxSAST
• Wireshark
• Burp Suite

64. Which of the following is a rootkit that adds additional code or replaces
portions of the core operating system to obscure a backdoor on a system?
• Kernel-level rootkit.
• Hypervisor-level rootkit.
• User-mode rootkit.
• Application-level Rootkit.

65. Enabling SSI directives allows developers to add dynamic code snippets to static
HTML pages without using full-fledged client or server languages. However,
suppose the server is incorrectly configured (for example, allowing the exec
directive) or the data is not strictly verified. In that case, an attacker can change
or enter directives to perform malicious actions. What kind of known attack are
we talking about?
• CRLF injection
• Server-side JS injection
• Server-side template injection
• Server-side includes injection

66. At which of the following steps of the Cyber Kill Chain is a malware weapon
created, for example a malicious file disguised as a financial
spreadsheet?
• Exploitation
• Delivery
• Reconnaissance
• Weaponization

67. John sends an email to his colleague Angela and wants to ensure that the
message will not be changed during the delivery process. He creates a
checksum of the message and encrypts it using asymmetric cryptography. What
key did John use to encrypt the checksum?
• His own private key.
• Angela's public key.
• Angela's private key
• His own public key.

68. Which Metasploit module type is used to perform arbitrary, one-off actions such as
port scanning, denial of service, SQL injection and fuzzing?
• Payload Module.
• Exploit Module.
• NOPS Module.
• Auxiliary Module.

69. Which of the following can be designated as "Wireshark for CLI"?
• tcpdump
• ethereal
• nessus
• John the Ripper

70. Alex, a cyber security specialist, is to conduct a pentest from inside the network,
but has received absolutely no information about the target network. What
type of testing will Alex conduct?
• External, Black-box.
• Internal, White-box.
• Internal, Black-box.
• Internal, Grey-box.

71. Michael works as a system administrator. He receives a message that several
sites are no longer available. Michael tried to go to the sites by URL, but it
didn't work. Then he tried to ping the sites and enter IP addresses in the
browser - it worked. What problem could Michael identify?
• Traffic is Blocked on UDP Port 69
• Traffic is Blocked on UDP Port 88
• Traffic is Blocked on UDP Port 53
• Traffic is Blocked on UDP Port 56

72. Maria is surfing the internet trying to find information about Super Security
LLC. Which process is Maria doing?
• Enumeration
• Scanning
• Footprinting
• System Hacking

73. Andrew is conducting a penetration test. He is now embarking on sniffing the
target network. What is not available for Andrew when sniffing the network?
• Modifying and replaying captured network traffic.
• Identifying operating systems, services, protocols and devices.
• Capturing network traffic for further analysis.
• Collecting unencrypted information about usernames and passwords.

74. Elon plans to make it difficult for the packet filter to determine the purpose of
the packet when scanning. Which of the following scanning techniques will Elon
use?
• SYN/FIN scanning using IP fragments.
• IPID scanning.
• ICMP scanning.
• ACK scanning.

75. The firewall prevents packets from entering the organization through certain
ports and applications. What does this firewall check?
• Application layer headers and transport layer port numbers.
• Application layer port numbers and the transport layer headers.
• Presentation layer headers and the session layer port numbers.
• Network layer headers and the session layer port numbers.

76. For the company, an important criterion is the immutability of the financial
reports sent by the financial director to the accountant. They need to be sure
that the accountant received the reports and they haven't been changed. How can
this be achieved?
• Use a protected Excel file.
• Use a hash algorithm on the document once the CFO approved the financial
statements.
• The financial director can send the financial statements twice, one by email
and the other delivered on USB, and the accountant can compare both.
• Reports can be sent to the accountant using a USB drive dedicated to that
document.

77. Which of the following protocols is used in a VPN for setting up a secure
channel between two devices?
• PPP
• IPSEC
• SET
• PEM

78. Which of the following Nmap commands most reduces the
probability of detection by an IDS when scanning common ports?
• nmap -A --host-timeout 99 -T1
• nmap -sT -O -T0
• nmap -A -Pn
• nmap -sT -O -T2

79. What does the "-oX" flag mean in an Nmap scan?
• Run a Xmas scan.
• Output the results in truncated format to the screen.
• Run an express scan.
• Output the results in XML format to a file.

80. Analyze the command output below. Based on the output, what conclusion can
correctly be made about the target?

Starting Nmap 4.53 (http://insecure.or) at 2023-10-10 18:39 edt
Interesting ports on 192.168.116.9:
PORT STATE SERVICE VERSION
8181/TCP open unknown

• The service running on 8181/TCP did not complete a handshake.
• The target host is running a version of Linux.
• The service running on 8181/TCP is not recognized.
• The target host is filtering access to 8181/TCP.
